Qubes 4.1rc3 on Intel NUC10i7FNK
I did this once before on Qubes 4.0 with help from Frédéric Pierret, but left Qubes on my NUC for Xubuntu due to too many issues with hardware. Intel NUC is not overly Linux friendly. Microsoft is their primary focus.
Then today (of all days) I snuck an install of the promising Qubes 4.1rc3 on the box, and it started with a single error during final install: “Start failed: internal error: Unable to reset PCI device 0000:00:1f.6: no FLR, PM reset or bus reset available, see /var/log/libvirt/libxl/libxl-driver.log for details”.
No networking was available upon startup. Disabling the PCI device in question [00:1f.6 Ethernet Controller….] in sys-net, made booting of sys-net possible and luckily wifi worked out-of-the-box.
Hope the above solution might help others in the same situation.
Hardening websites with .htaccess
Always use the latest PHP version available from your hosting provider:
AddType application/x-httpd-php-latest .php
Using mod_rewrite:
<IfModule mod_rewrite.c>
RewriteEngine On
# Redirect HTTP to HTTPS (permanent redirect, stop processing further rules):
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Disable compression:
RewriteRule ^(.*)$ $1 [NS,E=no-gzip:1,E=dont-vary:1]
</IfModule>
Strict HSTS, CSP, Referrer-Policy and X-Frame-Options headers:
<IfModule mod_headers.c>
Header set Content-Security-Policy "upgrade-insecure-requests"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set Strict-Transport-Security "max-age=15811200"
Header set X-Frame-Options "DENY"
</IfModule>
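To confirm the site really serves these headers, the following check audits a response head against the values set above. It is an added example, not part of the original post; the function names and the two sample responses (GOOD, WEAK) are constructed for illustration.

```python
# Added example: audit a response head against the header policy from the
# .htaccess above. GOOD and WEAK are constructed samples, not captured traffic.
MIN_HSTS_MAX_AGE = 15811200  # max-age used in the page's HSTS header

GOOD = """HTTP/1.1 200 OK
Content-Security-Policy: upgrade-insecure-requests
Referrer-Policy: strict-origin-when-cross-origin
Strict-Transport-Security: max-age=15811200
X-Frame-Options: DENY
"""
WEAK = """HTTP/1.1 404 Not Found
Strict-Transport-Security: max-age=300
X-Frame-Options: SAMEORIGIN
"""

def parse_headers(raw):
    """Return {lowercased header name: [values]} from a raw response head."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def hsts_max_age(value):
    """Extract max-age (seconds) from an HSTS value, or None if absent/invalid."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else None
    return None

def audit(raw):
    """List deviations from the page's policy; an empty list means compliant."""
    h, findings = parse_headers(raw), []
    hsts = h.get("strict-transport-security")
    # RFC 6797: a client processes only the first HSTS header it receives.
    age = hsts_max_age(hsts[0]) if hsts else None
    if age is None or age < MIN_HSTS_MAX_AGE:
        findings.append("hsts")
    if "upgrade-insecure-requests" not in " ".join(h.get("content-security-policy", [])).lower():
        findings.append("csp")
    if [v.upper() for v in h.get("x-frame-options", [])] != ["DENY"]:
        findings.append("x-frame-options")
    if [v.lower() for v in h.get("referrer-policy", [])] != ["strict-origin-when-cross-origin"]:
        findings.append("referrer-policy")
    return findings
```

Run the audit on redirects and error pages as well as normal pages: `Header set` without the `always` condition is not applied to non-2xx responses that Apache generates itself.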
Xubuntu and KeePassXC with no browser integration (snap crap)
Having trouble connecting from browser on a freshly installed Xubuntu. My browser extensions in Firefox acted up. All because snap is crap (in this regard anyways).
KeePassXC when installed in Xubuntu, uses “snap” and therefore the browser integration does not work. It has to go.
Skype for Linux – unsigned – breaking template updates
Package skypeforlinux_8.62.0.83-1.x86_64.rpm is not signed
My daily patching of my Qubes fedora-32 template failed, and I just found out that Skype might be the reason. I tried starting Skype, and found that it required an update:
This proved faulty, since Microsoft might have given up on Skype, their last update was unsigned and broke updates on one of my fedora-32 templates.
Then I tried forcing the install, since I trusted the package origin, but I saw that the quality of the package might be below par (it does work, though), so I chose to part with Skype for now:
Updating / installing…
1:skypeforlinux-8.62.0.83-1 ################################# [100%]
Redirecting to /bin/systemctl start atd.service
Failed to start atd.service: Unit atd.service not found.
Remember to remove the repo also, if you really mean it 🙂
/etc/yum.repos.d/skype-stable.repo
CCSP/SSCP cram link recommendation:
CCSP
SP 800-145, The NIST Definition of Cloud Computing | CSRC
NIST Cloud Computing Standards Roadmap – NIST.SP.500-291r2.pdf
The NIST definition of cloud computing – nistspecialpublication800-145.pdf
NIST Special Publication 800-88, Revision 1: Guidelines for Media Sanitization | NIST
Guidelines for Media Sanitization – NIST.SP.800-88r1.pdf
SP 800-37 Rev. 2, RMF: A System Life Cycle Approach for Security and Privacy | CSRC
STAR | Cloud Security Alliance
Top Threats to Cloud Computing: Egregious | Cloud Security Alliance
Cloud Controls Matrix | Cloud Security Alliance
The_Notorious_Nine_Cloud_Computing_Top_Threats_in_2013.pdf
Treacherous-12_Cloud-Computing_Top-Threats.pdf
Wiley Test Banks
OWASP Top 10 – 2017 – OWASP_Top_10-2017_(en).pdf.pdf
Cybrary
Home | Cloud Security Alliance
Immersive | Cybrary
Study resources
Business Impact Analysis Worksheet
Microsoft Threat Modeling Tool overview – Azure | Microsoft Docs
Desktop as a Service (DaaS) – Cloud Desktop | Calligo
Data Leak Prevention
Trike | octotrike.org
cloud-computing-benefits-risks-and-recommendations-for-information-security
OWASP Top Ten Web Application Security Risks | OWASP
SSCP
SSCP Cert Prep: The Basics
SSCP Cert Prep: 1 Access Controls
SSCP Cert Prep: 2 Security Operations and Administration
SSCP Cert Prep: 4 Incident Response and Recovery
SSCP Cert Prep: 3 Risk Identification, Monitoring, and Analysis
SSCP Cert Prep: 5 Cryptography
SSCP Cert Prep: 6 Networks and Communications Security
SSCP Cert Prep: 7 Systems and Application Security
AES Crypt – GUI (Linux 64-bit)
KeePassXC risk analysis based setup on fedora-30
Goal: If a new security vulnerability is found in KeePassXC (e.g. a 0-day), I would like to ensure the fastest possible update, risking the possibility of not being able to use the application.
Updating from an unstable repository can, of course, also introduce vulnerabilities that have just not been detected yet.
I have decided to rather patch known vulnerabilities, using software with potential unknown vulnerabilities, rather than having unpatched known vulnerabilities. That is basically my risk analysis.
Also, if the application fails and is unusable, it might still be better using “forgot password” features, than using a piece of known insecure software. Depends on who you are, and what level you are comfortable with. Every decision needs to be risk based and subjective to the risk taker.
So, let's enable solely the KeePassXC packages to get updates from a more unstable branch. Put this in your fedora-30 /etc/yum.repos.d/fedora-updates-testing.repo, at the end of the first paragraph:
This should be called the frog/rabbit method, since we are literally jumping ahead of ourselves, just as the remark from Quentin Tarantino in the movie “Four Rooms” states.
And I need ALL testing packages that actually work to end up in stable. That’s a premise.
UPDATE: As Samuel Sieb described, it is important to have “--disableexcludes” on the command line every time you need to update a package from the testing repository. I just experienced that I could not update the 0-day emergency patch from Mozilla to Firefox, due to this.
SOLUTION: [user@fedora-30 yum.repos.d]$ sudo dnf upgrade --enablerepo=updates-testing --disableexcludes=updates-testing --advisory=FEDORA-2020-2713adc57f
KeePassXC 2.4.2 on fedora-30
UPDATE: 2.4.2 is in stable now, so this post is not needed anymore…
When QubesOS announced that fedora-30 now is supported by Qubes-OS, I went for it straight away and upgraded my fedora-29 template. All went smooth.
My fedora-web-plugin, told me that my keepassxc was outdated and I needed to download a newer version:
So, checking the versions in fedora showed that fedora-30 is not up to date, unlike fedora-31, so I needed to do an upgrade in testing. Testing was in “3 karma”, whatever that means, but it seemed to be tested fine, just not pushed to the stable repository yet:
So, instead of just downloading the package from keepassxc.org and missing any updates coming in the future, I decided to install from the testing repository, and hope that the package will be sent to stable in the near future. I accept the risk that seems to be close to non-existing, compared to trusting the stable/testing repo:
sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2019-99e252df7a
The above shows success and the version is as follows on fedora-30:
And by the way, I actually got appreciation for my patreon support :). Please support it
Less than 10 days later we had the same issue, so contemplating on how it is possible to have 1 package using the “updates-testing” repository and the rest run stable (without having the below running in a cron job)
sudo dnf upgrade --enablerepo=updates-testing keepassxc
Windows 10 on Qubes OS 4.0
Sharing my experiences installing Windows 10 Enterprise on Qubes 4.0, maybe spiced up with the infamous QWT (Qubes Windows Tools 4.0.1.3) installation (Spoiler alert: NOT Working!).
Following this guide, I will try to describe the issues I’ve been encountering, accompanied by screenshots. The big issue is getting the Qubes Windows Tools to install properly. All my installations have failed, so even though Invisible Things Lab has worked on QWT tirelessly for years, corporate clients, understandably, are more important than a few backers and the community. The backers are apparently not contributing enough, although I might believe that backer numbers would go through the roof if the tools would work flawlessly on Windows 10. If you want to contribute to Qubes OS, please donate either once or continuously here. And if you have the skills and tools to make QWT v.4.0.2.0, then please create an Indiegogo (or similar) crowdfunding campaign. I’m sure it will be backed.
https://www.qubes-os.org/doc/windows-template-customization/
But let’s go and take on some challenges. The first one is that fedora doesn’t support exFAT (crazy as it sounds, and I wrote about this before here), and debian does. That means I have to use a debian appVM to share the ISO file to the new Windows 10 VM, unless there is another way.
So, due to the crash of windows 10 after installation of Qubes Windows Tools, it is recommended that you use freerdp, rdesktop or similar to connect to your Windows system, being able to copy/paste clipboard and files, etc. This is a workaround to use clipboard and filesharing, still.
When the restart is performed, Qubes does a bunch of things, such as moving the user directory from C: to the newly created private drive of 2GB (E:). That fails horribly, btw:
So after installing Qubes tools, the system won’t boot. Just like: https://github.com/QubesOS/qubes-issues/issues/4352.
Hopefully QWT will be released at some point.
Enabling a bare minimum of WordPress Security
Running a CMS on any website can be cumbersome: constantly checking for updates, manually updating, and securing the configuration if it is not secure by default. A big help is the auto-updating feature of WordPress and the plugins that help administer it. Security plugins that minimize bot attacks and evildoers are also comforting, and needed in a hostile environment such as the internet.
Disabling comments and creation of users is recommended, if not needed. Exploits that elevate privileges have been seen.
So my recommendation is to follow these steps as a bare minimum:
Plugins to install and configure:
Meta Generator and Version Info Remover
UpdraftPlus (if you need backup, due to your host provider's lack thereof)
Use WPScan and Nikto2 from a Kali VM, regularly, to test your website for vulnerabilities, misconfiguration, etc. Follow the recommendations and secure your website as much as you feel adequate, for example by removing obvious readme files, using .htaccess, etc.